Hello community,

here is the log from the commit of package polkit for openSUSE:Leap:15.2 checked in at 2020-01-30 14:50:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/polkit (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.polkit.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "polkit" Thu Jan 30 14:50:12 2020 rev:20 rq:758526 version:0.116 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/polkit/polkit.changes 2020-01-15 15:44:35.331294208 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.polkit.new.26092/polkit.changes 2020-01-30 14:51:13.770928921 +0100 @@ -2 +2 @@ -Tue Jul 23 06:29:16 UTC 2019 - Marcus Meissner <meiss...@suse.com> +Fri Nov 29 10:36:53 UTC 2019 - Bjørn Lie <bjorn....@gmail.com> 
@@ -4,3 +4,49 @@ -- CVE-2019-6133.patch: Fixed improper caching of auth decisions, - which could bypass uid checking in the interactive backend. - (bsc#1121826 CVE-2019-6133) +- Fix usage of libexecdir instead of prefix/lib where applicable. + +------------------------------------------------------------------- +Tue Oct 8 12:41:44 UTC 2019 - Marcus Meissner <meiss...@suse.com> + +- polkit-keyinit.patch: add pam_keyinit to the polkit configuration (bsc#1144053) + +------------------------------------------------------------------- +Wed May 29 07:57:26 UTC 2019 - Bjørn Lie <bjorn....@gmail.com> + +- Update to version 0.116: + + Leaking zombie child processes. + + Possible resource leak found by static analyzer. + + Output messages tuneup. + + Sanity fixes. + + pkttyagent tty echo disabled on SIGINT. + + HACKING: add link to Code of Conduct. + + polkitbackend: comment typos fix. + + configure.ac: fix detection of systemd with cgroups v2. + + CVE-2018-19788 High UIDs overflow fix. + + CVE-2019-6133 Slowfork vulnerability fix. + + Allow unset process-uid. + + Port the JS authority to mozjs-60. + + Use JS_EncodeStringToUTF8. + + Updated translations. +- Replace pkgconfig(mozjs-52) with pkgconfig(mozjs-60) + BuildRequires following upstreams changes. +- Drop patches fixed upstream: + + polkit-fix-possible-resource-leak.patch + + polkit-fix-leaking-zombie-child-processes.patch + + polkit-CVE-2018-19788.patch +- Refresh patches with quilt. + +------------------------------------------------------------------- +Fri May 10 14:44:20 UTC 2019 - Dominique Leuenberger <dims...@opensuse.org> + +- Use systemd_ordering instead of systemd_requires: strictly + speaking, polkit does not require systemd to be present. Just + that when we install on a system with systemd (e.g outside + containers) we would want systemd to be present before + installing polkit. Help also reduce a cycle without special hacks + in systemd.spec. 
+ +------------------------------------------------------------------- +Fri Apr 26 11:06:05 UTC 2019 - mvet...@suse.com + +- bsc#1130588: Require shadow instead of old pwdutils +- User proper Requires(pre)/Requires(post) for permissions and + shadow @@ -15 +61,9 @@ -Wed Jul 4 12:00:12 UTC 2018 - meiss...@suse.com +Fri Aug 17 07:56:08 UTC 2018 - bjorn....@gmail.com + +- Add polkit-fix-possible-resource-leak.patch: Fix possible + resource leak found by static analyzer. +- Add polkit-fix-leaking-zombie-child-processes.patch: polkitd: fix + zombie not reaped when js spawned process timed out (fdo#106021). + +------------------------------------------------------------------- +Wed Jul 11 10:48:37 UTC 2018 - meiss...@suse.com @@ -17,2 +71,4 @@ -- 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch: - Fixed trusting the client-supplied UID (CVE-2018-1116 bsc#1099031) +- Update to version 0.115: + - Fix CVE-2018-1116: Trusting client-supplied UID (bsc#1099031) + - jsauthority: pass "%s" format string to remaining report function + (obsoletes polkit-jsauthority-pass-format-string.patch) Old: ---- 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch CVE-2019-6133.patch polkit-0.114.tar.gz polkit-0.114.tar.gz.sign polkit-CVE-2018-19788.patch polkit-jsauthority-pass-format-string.patch New: ---- polkit-0.116.tar.gz polkit-0.116.tar.gz.sign polkit-keyinit.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ polkit.spec ++++++ --- /var/tmp/diff_new_pack.dJywhb/_old 2020-01-30 14:51:14.398929255 +0100 +++ /var/tmp/diff_new_pack.dJywhb/_new 2020-01-30 14:51:14.402929257 +0100 @@ -1,7 +1,7 @@ # # spec file for package polkit # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,12 +17,12 @@ Name: polkit -Version: 0.114 +Version: 0.116 Release: 0 Summary: PolicyKit Authorization Framework License: LGPL-2.1-or-later Group: System/Libraries -URL: http://www.freedesktop.org/wiki/Software/polkit/ +Url: http://www.freedesktop.org/wiki/Software/polkit/ Source0: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz Source1: http://www.freedesktop.org/software/polkit/releases/%{name}-%{version}.tar.gz.sign Source2: %{name}.keyring @@ -34,14 +34,8 @@ Patch1: polkit-gettext.patch # PATCH-FIX-UPSTREAM pkexec.patch sch...@suse.de -- pkexec: allow --version and --help even if not setuid Patch2: pkexec.patch -# PATCH-FIX-UPSTREAM polkit-jsauthority-pass-format-string.patch bgo#105865 bjorn....@gmail.com -- jsauthority: pass "%s" format string to remaining report function -Patch3: polkit-jsauthority-pass-format-string.patch -# PATCH-FIX-UPSTREAM 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch bsc#1099031 mgerst...@suse.com -- security fix -Patch4: 0001-Fix-CVE-FIXME-Trusting-client-supplied-UID.patch -# PATCH-FIX-UPSTREAM polkit-CVE-2018-19788.patch bsc#1118277 meiss...@suse.com -- 2cb40c4d5feeaa09325522bd7d97910f1b59e379 -Patch5: polkit-CVE-2018-19788.patch -# PATCH-FIX-UPSTREAM CVE-2019-6133.patch bsc#1121826 meiss...@suse.com -- c898fdf4b1aafaa04f8ada9d73d77c8bb76e2f81 -Patch6: CVE-2019-6133.patch +# PATCH-FIX-OPENSUSE polkit-keyinit.patch meissner@ -- bsc#1144053 Please add "pam_keyinit.so" to the /etc/pam.d/polkit-1 configuration file +Patch3: polkit-keyinit.patch BuildRequires: gcc-c++ BuildRequires: gtk-doc 
@@ -51,20 +45,19 @@ BuildRequires: libtool BuildRequires: pam-devel BuildRequires: systemd-rpm-macros -BuildRequires: pkgconfig(gio-unix-2.0) >= 2.30.0 -BuildRequires: pkgconfig(gmodule-2.0) >= 2.30.0 +BuildRequires: pkgconfig(gio-unix-2.0) >= 2.32.0 +BuildRequires: pkgconfig(gmodule-2.0) >= 2.32.0 BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.2 BuildRequires: pkgconfig(libsystemd) -BuildRequires: pkgconfig(mozjs-52) +BuildRequires: pkgconfig(mozjs-60) BuildRequires: pkgconfig(systemd) # gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle. #!BuildIgnore: ruby Requires: dbus-1 Requires: libpolkit0 = %{version}-%{release} -# FIXME: use proper Requires(pre/post/preun/...) -PreReq: permissions -PreReq: pwdutils -%systemd_requires +Requires(pre): shadow +Requires(post): permissions +%systemd_ordering # Upstream First - Policy: # Never add any patches to this package without the upstream commit id @@ -121,18 +114,10 @@ This package provides the GObject Introspection bindings for PolicyKit. %prep -%setup -q -%patch0 -p1 -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 +%autosetup -p1 %build -export V=1 -# needed for patch1 and patch2 +# Needed for patch1 and patch2 autoreconf -fi export SUID_CFLAGS="-fPIE" export SUID_LDFLAGS="-z now -pie" @@ -144,8 +129,8 @@ --enable-introspection \ --enable-examples \ --enable-libsystemd-login \ - --libexecdir=%{_libexecdir}/polkit-1 -make %{?_smp_mflags} + %{nil} +%make_build %install %make_install 
@@ -213,8 +198,8 @@ %{_bindir}/pkcheck %verify(not mode) %attr(4755,root,root) %{_bindir}/pkexec %{_bindir}/pkttyagent -%dir %{_libexecdir}/polkit-1 -%{_libexecdir}/polkit-1/polkitd +%dir %{_prefix}/lib/polkit-1 +%{_prefix}/lib/polkit-1/polkitd %verify(not mode) %attr(4755,root,root) %{_prefix}/lib/polkit-1/polkit-agent-helper-1 # $HOME for polkit user %dir %{_localstatedir}/lib/polkit ++++++ pkexec.patch ++++++ --- /var/tmp/diff_new_pack.dJywhb/_old 2020-01-30 14:51:14.434929274 +0100 +++ /var/tmp/diff_new_pack.dJywhb/_new 2020-01-30 14:51:14.438929276 +0100 @@ -6,10 +6,10 @@ building packages that want to check for pkexec in an emulated environment that does not support setuid invocation (eg. QEMU linux-user). -Index: polkit-0.114/src/programs/pkexec.c +Index: polkit-0.116/src/programs/pkexec.c =================================================================== ---- polkit-0.114.orig/src/programs/pkexec.c 2018-04-03 20:16:17.000000000 +0200 -+++ polkit-0.114/src/programs/pkexec.c 2018-04-10 02:48:03.031508016 +0200 +--- polkit-0.116.orig/src/programs/pkexec.c 2018-05-31 13:52:53.000000000 +0200 ++++ polkit-0.116/src/programs/pkexec.c 2019-05-31 22:55:58.014504104 +0200 @@ -504,27 +504,6 @@ main (int argc, char *argv[]) /* Disable remote file access from GIO. */ setenv ("GIO_USE_VFS", "local", 1); ++++++ polkit-0.114.tar.gz -> polkit-0.116.tar.gz ++++++ ++++ 18838 lines of diff (skipped) ++++++ polkit-keyinit.patch ++++++ Index: polkit-0.116/data/polkit-1.in =================================================================== --- polkit-0.116.orig/data/polkit-1.in +++ polkit-0.116/data/polkit-1.in 
@@ -4,3 +4,4 @@ auth include @PAM_FILE_INCLUD account include @PAM_FILE_INCLUDE_ACCOUNT@ password include @PAM_FILE_INCLUDE_PASSWORD@ session include @PAM_FILE_INCLUDE_SESSION@ +session optional pam_keyinit.so revoke [force] ++++++ polkit-no-wheel-group.patch ++++++ --- /var/tmp/diff_new_pack.dJywhb/_old 2020-01-30 14:51:14.686929408 +0100 +++ /var/tmp/diff_new_pack.dJywhb/_new 2020-01-30 14:51:14.686929408 +0100 @@ -1,7 +1,7 @@ -Index: polkit-0.107/src/polkitbackend/50-default.rules +Index: polkit-0.116/src/polkitbackend/50-default.rules =================================================================== ---- polkit-0.107.orig/src/polkitbackend/50-default.rules -+++ polkit-0.107/src/polkitbackend/50-default.rules +--- polkit-0.116.orig/src/polkitbackend/50-default.rules 2018-03-27 13:46:06.000000000 +0200 ++++ polkit-0.116/src/polkitbackend/50-default.rules 2019-05-31 22:55:57.990503876 +0200 @@ -8,5 +8,5 @@ // about configuring polkit. ++++++ polkit.keyring ++++++ --- /var/tmp/diff_new_pack.dJywhb/_old 2020-01-30 14:51:14.706929418 +0100 +++ /var/tmp/diff_new_pack.dJywhb/_new 2020-01-30 14:51:14.706929418 +0100 
@@ -624,3 +624,33 @@ xswOcJBwoxssbQmiBaFp13Frzhjwjwqer+npV6FuOLjRsnMd7h9EgiGYGqH385w0 =DnDa -----END PGP PUBLIC KEY BLOCK----- + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: SKS 1.1.6 +Comment: Hostname: fks.pgpkeys.eu + +mQENBFtkaE8BCADL6NFIHYl5RDKRyDm2/igDWiveVFWzUZGJeBBkAcpZcstJK0mDxwWbcOwE ++XvMUux4HwZCymZb+5SctrHyQvS629BTbynfZv5JOIAKl1Hg24yklBGYJ1LX/4H140Y2cGTN +3xymGisSYMNF11Cngsw1qND8NJ6fqadHafn8s1gvphFkCs8LpoJgTBrLEUQZpnpSRcIP+/UR +2R/ErCkwE9erPHfksj+B+hGD6PKqeLPSvLq5F9L+axnMgH784QQADn3BaM2ZePtC+gbUYgsY +ra6jwsEsjZmd/nauVex2rB3MaRgiwTg6+cmDXgd5a0w2CPMFlQiWiamb7/UfCxsFRgs3ABEB +AAG0J0phbiBSeWJhciAoUmVkIEhhdCkgPGpyeWJhckByZWRoYXQuY29tPokBOAQTAQIAIgUC +W2RoTwIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQjOswMP/c4lha5wf8C7+FoCIU +NE83GgnG4Vp7jJFgn1B8ea7Jvya0X37kHWBUueQv7F0M+3qUtVQNHDSIfehysiAtNncWh58V +n9JWohzvWTGnZ1bY8IeU/MxCrBrWaxqsjsWOPq1smtnIas7LLkn44oOlyOXDVOp/JOk4QxoO +gf6GIERpit/0dBNjFSkeL037ocB/f6WekG4MpYtp/U4gy3MAWhBKXxJUTgJFRSiLtGEdnUGW +wG8ZbulGRRO79rWg9ThvpPEEqZG/2bm4kWMlaaaDsJ9lbPA4rN0uU0ny3/2COwqKtpwrLvRE +duRcVG9vpnCl5zkFtNc00p2RRBrQJ/PLq2OdSrGMf0skhbkBDQRbZGhPAQgAxaVnvy+O0sUR +/P1e7CAQKg7jSXFoUIHVpT/F7Q2t3hs2I3wmQTAy92CVWDXJDDpN93VR6IJQzws0F7IV9+Js +xl4Hu6ELyaOpMD0QVb09s9C0s2nz88rn6WMoy0wuVJcB0h8aNzUBjRsgi94XTH44tlcVZj4q +/GbQaJy8kBNu5V6sAQg64h5xuU4tow8tkzL78bNOLeYXyEYOO+Dlt/879oxQca+dTHXr13NV +wKFqcduBIcsQZd5JnQFeXo+8XWpmeS/wwX0RW+J0mSYWvjP/fMeE7BIftbbolqr+HwwppVNP +ouFDPq/9bKmQs7USen6rOJ6uIqMhPkopgXXOle3EEQARAQABiQEfBBgBAgAJBQJbZGhPAhsM +AAoJEIzrMDD/3OJYmlMH/0NTd/lZ0jh0djRYlRcz0OIT9B/2gYmNoekEsciEliPS3WEN+M2s +kZM/L/lLFCbD4dOqlXqb84Yvch9iC/VzCEYCEs8Kz647H2mBnyHxxOKtgrXJpWhZoRzs9pzb +AVCEkl5+PjFRwhn7Nwpm/EG+02VgR9JC1ZdX28iN3a3axbLuI9RIZznRRL5Jr5ePMJ0nRvWY +HX4K+Wt5UhHuo1Kaj9Yn0UcTCj7WKznRjNtL6S4N4mS8OJwi8jZ8Rvb3GFCViEaVz/+ZNBaW +HGJO/6RB1aNr3SlD155eTM6H6v2lsNn4gpc7T3GL9AzEsuUef5mqo1EsO+OJeBrQv8vVybJx +GJ8= +=QrX7 +-----END PGP PUBLIC KEY BLOCK-----
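
Review bot: In polkit.changes, the removed entry for CVE-2019-6133.patch carried the reference bsc#1121826, but the new 0.116 entry lists "CVE-2019-6133 Slowfork vulnerability fix" without that bug number, and its "Drop patches fixed upstream" list names only three patches, omitting CVE-2019-6133.patch even though the Old file list shows it removed. Add CVE-2019-6133.patch (bsc#1121826) to the dropped-patch list and put bsc#1118277 (from the old Patch5 comment in the spec) next to CVE-2018-19788, so both security fixes stay traceable from the changelog. In the Apr 26 entry, "User proper Requires(pre)/Requires(post)" should read "Use".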
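
Review bot: In the polkit.spec header hunk (@@ -17,12 +17,12 @@), the change from "URL:" to "Url:" only alters the casing of the tag and is unrelated to the version update; drop it from this change so the hunk carries just the Version bump.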
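
Review bot: The new Patch3 line in the polkit.spec hunk @@ -34,14 +34,8 @@ is tagged PATCH-FIX-OPENSUSE and cites only bsc#1144053, while the spec's own "Upstream First - Policy" comment (visible as context in the following hunk) says never to add patches without the upstream commit id. Either reference the upstream submission in the patch comment or state there why this PAM configuration change is distribution-specific.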
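
Review bot: The polkit.spec hunk @@ -144,8 +129,8 @@ drops "--libexecdir=%{_libexecdir}/polkit-1" from the configure call while the hunk @@ -213,8 +198,8 @@ hardcodes "%{_prefix}/lib/polkit-1" for polkitd in the files list, so nothing visible in the spec now ties the install directory to the packaged path. Add a short spec comment saying what determines where polkitd is installed, and confirm with a test build that it lands in %{_prefix}/lib/polkit-1 regardless of the value of %{_libexecdir}, next to the setuid polkit-agent-helper-1 that the same list already places there.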
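
Review bot: In polkit-keyinit.patch, the added line "session optional pam_keyinit.so revoke [force]" writes its second argument in square brackets, which reads like optional-argument notation copied from documentation rather than a deliberate setting. If unconditional replacement of the session keyring is intended, write plain "force"; if not, drop the argument. Say which in the patch description, since bsc#1144053 as quoted in the spec asks only for pam_keyinit.so to be added.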
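
Review bot: The polkit.keyring hunk (@@ -624,3 +624,33 @@) adds a second public key block, exported from a keyserver according to its "Comment: Hostname: fks.pgpkeys.eu" header, but none of the new polkit.changes entries mention a keyring change. Record in the changelog whose key this is, its full fingerprint, and how it was confirmed to be the upstream release key for polkit-0.116.tar.gz.sign. Presence on a keyserver says nothing about ownership, and Source0 and Source1 are fetched over plain http://, so this keyring is what the authenticity of the tarball rests on.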